Posted by samzenpus on Monday March 17, 2014 @01:04AM
from the no-code-for-you dept.

Bismillah writes "If Attorney-General Brandis gets his way in the process of revising Australia's Telecommunications Interception Act, users and providers of VPNs and other encrypted services will by law be required to decrypt government intercepted data. Because, 'sophisticated criminals and terrorists.' New Zealand already has a similar law, the Telecommunications Interception and Computer Security Act. Apparently, large Internet service providers such as Microsoft and Facebook won't be exempt from the TICSA and must facilitate interception of traffic."

Posted by timothy on Friday September 06, 2013 @09:01PM
from the aren't-you-glad-to-be-so-fully-protected? dept.

Ars Technica reports that security researcher Rob Graham of Errata Security, after analyzing nearly 23,000 Tor connections through an exit node that Graham controls, believes that the encryption used by a majority of Tor users could be vulnerable to NSA decryption: "About 76 percent of the 22,920 connections he polled used some form of 1024-bit Diffie-Hellman key," rather than stronger elliptic curve encryption. More from the article: "'Everyone seems to agree that if anything, the NSA can break 1024 RSA/DH keys,' Graham wrote in a blog post published Friday. 'Assuming no "breakthroughs," the NSA can spend $1 billion on custom chips that can break such a key in a few hours. We know the NSA builds custom chips, they've got fairly public deals with IBM foundries to build chips.' He went on to cite official Tor statistics to observe that only 10 percent of Tor servers are using version 2.4 of the software. That's the only Tor release that implements elliptical curve Diffie-Hellman crypto, which cryptographers believe is much harder to break. The remaining versions use keys that are presumed to be weaker."

Posted by Soulskill on Friday June 21, 2013 @11:20AM
from the hop-online-and-disappoint-some-intelligence-agents dept.

An anonymous reader sends this news from Ars Technica:
"Using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for U.S.-based communications to be retained by the National Security Agency, even when they're collected inadvertently, according to a secret government document published Thursday. ...The memos outline procedures NSA analysts must follow to ensure they stay within the mandate of minimizing data collected on U.S. citizens and residents. While the documents make clear that data collection and interception must cease immediately once it's determined a target is within the U.S., they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—"will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person," the secret document stated."

Posted by timothy on Tuesday January 22, 2013 @08:41AM
from the all-a-mpaa-front-anyhow dept.

twoheadedboy writes "Kim Dotcom launched his new project Mega on Sunday, claiming it was to be 'the privacy company.' But it might not be so private after all, as security professionals have ripped it to shreds. There are numerous problems with how encryption is handled, an XSS flaw and users can't change their passwords, they say. But there are suspicions Mega is handing out encryption keys to users and touting strong security to cover its own back. After all, if Kim Dotcom and Co don't know what goes on the site, they might not be liable for copyright prosecutions, as they were for Megaupload, Mega's predecessor." On this front, reader mask.of.sanity points out a tool in development called MegaCracker that could reveal passwords as users sign up for the site.

Posted by Unknown Lamer on Monday December 26, 2011 @11:17PM
from the 32-bits-ought-be-enough-for-anyone dept.

kfogel writes "Asheesh Laroia now has two different GPG keys with the same short ID (70096AD1) circulating on keyservers. One of them is an older 1024-bit DSA key, the other is a newer 4096-bit RSA key. Oops. Asheesh argues that GPG's short IDs are too short to be the default anymore — collisions are too easy to create: he did it on purpose and openly, but others could do it on purpose and secretly. More discussion (and a patch by dkg) are in this bug report."

Posted by Soulskill on Saturday June 04, 2011 @10:29PM
from the go-big-or-go-home dept.

crutchy writes "When I was setting up my secure website I got really paranoid about SSL encryption, so I created a certificate using OpenSSL for SHA-512 encryption. I don't know much about SHA (except bits that I can remember from Wikipedia), but I figure that if you're going to go to the trouble (or expense) of setting up SSL, you may as well go for the best you can get, right? Also, what would be the minimum level of encryption required for, say, online banking? I've read about how SHA-1 was 'broken', but from what I can tell it still takes many hours. What is the practical risk to the real internet from this capability? Would a sort of rolling key be a possible next step, where each SSL-encrypted stream has its own private/public key pair generated on the fly, and things like passwords and bank account numbers were broken up and sent in multiple streams with different private/public key pairs? This would of course require more server grunt to generate these keys (or we could take a leaf from Google's book and just have separate server clusters designed solely for that job), but then if computing performance was a limiting factor, the threat to security of these hashes wouldn't be a problem in the first place."

Posted by timothy on Friday March 25, 2011 @10:39PM
from the well-that'll-sure-end-their-troubles dept.

An anonymous reader writes "Microsoft has removed HTTPS from Hotmail for many US-embargoed or otherwise troubled countries. The current list of countries for which they no longer enable HTTPS is known to include Bahrain, Morocco, Algeria, Syria, Sudan, Iran, Lebanon, Jordan, Congo, Myanmar, Nigeria, Kazakhstan, Uzbekistan, Turkmenistan, Tajikistan, and Kyrgyzstan. Journalists and others whose lives may be in danger due to oppressive net monitoring in those countries may wish to use HTTPS everywhere and are also encouraged to migrate to non-Microsoft email providers, like Yahoo and Google." Update: 03/26 17:08 GMT by T: Reader Steve Gula adds the caveat that "Yahoo! only does HTTPS for authentication unless you're a paying member."

Posted by timothy on Tuesday February 01, 2011 @10:58PM
from the trip-of-three-steps-down-the-palate dept.

An anonymous reader writes "Even as President Obama prepares to follow Mubarak with his own 'internet kill switch', Egyptians were turning to the Tor anonymiser to organise their protests online. The number of Egyptians connecting to the internet over Tor rose more than five-fold after protests broke out last week before crashing when the Government severed links to the global internet. Information security researcher, Tor coder and writer of the bridge that allowed Egypt's citizens to short-circuit government filters, Jacob Appelbaum, told SC Magazine Egyptians were 'concerned and some understand the risk of network traffic analysis.' Appelbaum has himself been the subject of attention from US security services who routinely snatch his electronics and search his belongings when he re-enters the country and who subpoenaed his private Twitter account last December." Which helps explain why Appelbaum is helping to organize a small fundraiser to get more communications gear into Egypt.

Posted by samzenpus on Thursday January 27, 2011 @12:30AM
from the no-data-for-you dept.

aaardwark writes "After a leaked document from the department of justice showed police will be able to demand extensive private information for minor offenses, some Swedish ISPs have decided to fight back (translated article). By routing all traffic through VPN, they plan to make the gathered data pointless. ISP Bahnhof says they will give you the option to opt out of VPN, but giving up your privacy will cost extra."

Posted by Soulskill on Friday December 31, 2010 @02:24PM
from the matter-of-time dept.

broggyr writes "Seems it didn't take long to hack the Windows Phone 7 marketplace. Quoting WPCentral: 'For developers, the weakness in Microsoft's DRM for Windows Phone 7 applications has been well known for quite some time, and there have been calls for Microsoft to address these concerns ... Since then, a "white hat" developer has provided WPCentral with a proof-of-concept program that can successfully pull any application from the Marketplace, remove the security and deploy to an unlocked Windows Phone with literally a push of a button. Alternatively, you could just save the cracked XAP file to your hard drive. Neither the app nor the methodology is public, and it will NOT be released ... It is important to note that this was all done within six hours by one developer.'"

Posted by CmdrTaco on Tuesday September 14, 2010 @08:00AM
from the wow-that's-a-big-one dept.

solafide writes "The HDCP Master Key has allegedly been revealed. If true, this information will allow anyone to create their own source or sink keys, essentially making HDCP useless for content protection permanently. No word yet on how it was obtained, but if true, this is a great day for content freedom around the world!"

Posted by Soulskill on Tuesday October 28, 2008 @11:07PM
from the you-can-win-but-only-if-you-don't-know-the-prize dept.

coondoggie sends this excerpt from NetworkWorld:
"The US Army Research Office and the National Security Agency (NSA) are together looking for some answers to their quantum physics questions. ... The Army said quantum algorithms that are developed should focus on constructive solutions [PDF] for specific tasks, and on general methodologies for expressing and analyzing algorithms tailored to specific problems — though they didn't say what those specific tasks were ... 'Investigators should presuppose the existence of a fully functional quantum computer and consider what algorithmic tasks are particularly well suited to such a machine. A necessary component of this research will be to compare the efficiency of the quantum algorithm to the best existing classical algorithm for the same problem.'"

Posted by Zonk on Sunday November 18, 2007 @09:31PM
from the using-numbers-for-evil dept.

netbuzz writes "First we learn from Bruce Schneier that the NSA may have left itself a secret back door in an officially sanctioned cryptographic random-number generator. Now Adi Shamir is warning that a math error unknown to chip makers but discovered by a tech-savvy terrorist could lead to serious consequences, too. Remember the Intel blunder of 1996? 'Mr. Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be "trivially broken with a single chosen message." Executing the attack would require only knowledge of the math flaw and the ability to send a "poisoned" encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system.'"